KCTF2021 第二题南冥神功 wp-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

KCTF2021 第二题南冥神功 wp

2021-5-12 10:08 4405

KCTF2021 第二题南冥神功 wp

neilwu

2021-5-12 10:08

4405

一、解题关键词

迷宫、深度优先搜索

二、ida分析

_main方法

1、输入长度小于48个字符

sub_4AF840((int)&dword_4B8860, "Input your code: ");
sub_4B0AB0((int)&dword_4B8680, v25);
if ( strlen(v25) <= 48 )

2、迷宫地图

v13 = &aS_1[10 * v21 + v9];
 
aS_1
 
S010010011
1100100100
0010111110
0110100100
0010010011
1101110101
0011110101
0110010101
0001001100

3、按照操作进行走图

v7 = (v4 + v5 / 6) % 6;
v8 = v5 + v4;
v9 = v22;
v20 = v7;
v10 = 5 - v8 % 6;
for ( i = 0; ; i = 1 )
{
  switch ( v10 )
  {
    case 1:
      ++v9;
      break;
    case 2:
      v17 = (v21++ & 1) == 0;
      v9 += v17;
      break;
    case 3:
      v12 = (v21++ & 1) != 0;
      v9 -= v12;
      break;
    case 4:
      --v9;
      break;
    case 5:
      v19 = (v21-- & 1) != 0;
      v9 -= v19;
      break;
    default:
      v18 = (v21-- & 1) == 0;
      v9 += v18;
      break;
  }
  if ( v9 > 9 )
    break;
  if ( v21 > 8 )
    break;

其中v10是求解关键，即走图path

4、地图上0变成1即输入code为flag

*v13 = 1;
if ( i == 1 )
{
  ++v4;
  v22 = v9;
  v3 = v25[v4];
  if ( v3 )
    goto LABEL_4;
  goto LABEL_19;
}

三、求flag

S010010011                   S111111111
1100100100                   1111111111
0010111110                   1111111111
0110100100            -->    1111111111  
0010010011                   1111111111
1101110101                   1111111111
0011110101                   1111111111
0110010101                   1111111111
0001001100                   1111111111

根据深度优先搜索对每一个可能的分支路径深入到不能再深入为止，而且每个节点只能访问一次即获得路径
path坐标

(8,9) - (8,8) - (7,8) - (6,8) - (5,8) - (4,7) - (3,8) - (3,9) - (2,9) - (1,9) - (1,8) - (0,7) - (0,6) - (1,6) - (1,5) - (0,4) - (0,3) - (1,3) - (2,3) - (3,3) - (4,3) - (4,4) - (3,5) - (3,6) - (4,6) - (5,6) - (6,6) - (7,6) - (8,5) - (8,4) - (7,4) - (7,3) - (8,2) - (8,1) - (8,0) - (7,0) - (6,0) - (6,1) - (5,2) - (4,1) - (4,0) - (3,0) - (2,0) - (2,1) - (1,2) - (0,1)

path[]

1	`1234321234321101210050543450501210121234322321`

根据path可以逆推出falg

char path[] = "1234321234321101210050543450501210121234322321";
char table[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
for (size_t i = 0; i < strlen(path) / 2; i++)
{
    int index = 2 * i;
    int step0 = (5 - (path[index] - 0x30)) - index / 2;
    int step1 = (path[index + 1] - 0x30) - index / 2;
    while (step0 < 0)
    {
        step0 += 6;
    }
    while (step1 < 0)
    {
        step1 += 36;
    }
    int keyIndex = step1 * 6 + step0;
    keyIndex %= 36;
    printf("%c", table[keyIndex]);
}